
Replace request@2.79.0 by request@2.88.0 (or latest) #13

Closed
yocarbo opened this Issue Sep 11, 2018 · 3 comments


yocarbo commented Sep 11, 2018

Hello,

✗ Medium severity vuln found in tunnel-agent@0.4.3, introduced via ascii-art@1.4.4
Description: Uninitialized Memory Exposure
Info: https://snyk.io/vuln/npm:tunnel-agent:20170305
From: ascii-art@1.4.4 > request@2.79.0 > tunnel-agent@0.4.3

✗ Medium severity vuln found in cryptiles@2.0.5, introduced via ascii-art@1.4.4
Description: Insecure Randomness
Info: https://snyk.io/vuln/npm:cryptiles:20180710
From: ascii-art@1.4.4 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5

Regards,
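Triage helper added here as an example (not code from ascii-art, Snyk or the original post): it walks a constructed dependency tree in the shape of `npm ls --json` output, prints every path that reaches a flagged package@version in the same `a@1 > b@2 > c@3` form as the report above, and pulls the direct dependency to bump (the second hop) out of a scanner `From:` line. Package names, versions and the tree are taken from the report; the function names are my own.

```javascript
// Versions the scanner flagged (from the report above).
const FLAGGED = {
  "tunnel-agent": ["0.4.3"],
  cryptiles: ["2.0.5"],
};

// Constructed tree mirroring the two chains in the report
// (same shape as `npm ls --json`: name/version/dependencies).
const TREE = {
  name: "ascii-art",
  version: "1.4.4",
  dependencies: {
    request: {
      version: "2.79.0",
      dependencies: {
        "tunnel-agent": { version: "0.4.3" },
        hawk: {
          version: "3.1.3",
          dependencies: { cryptiles: { version: "2.0.5" } },
        },
      },
    },
  },
};

// Depth-first walk; returns one "a@x > b@y > c@z" string per flagged hit.
function findFlaggedPaths(node, flagged, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = [];
  const badVersions = flagged[node.name];
  if (badVersions && badVersions.includes(node.version)) hits.push(here.join(" > "));
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findFlaggedPaths({ name, ...child }, flagged, here));
  }
  return hits;
}

// The second hop of a scanner "From:" chain is the direct dependency
// whose upgrade removes the transitive vulnerable version.
function directDependencyToBump(fromLine) {
  const hops = fromLine.replace(/^From:\s*/, "").split(/\s*>\s*/);
  return hops.length > 1 ? hops[1] : null;
}

for (const p of findFlaggedPaths(TREE, FLAGGED)) console.log(p);
```

Running it against a real tree is `npm ls --json --all > tree.json` and `JSON.parse` in place of `TREE`.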


Owner

khrome commented Sep 15, 2018

So this is an exploit about using auth with unchecked user-supplied credentials. The other issue is likewise around crypto that is not active or used in my application. Given that my use of request is an unauthenticated file transfer of text data, I would characterize my exposure surface to these issues as nonexistent. If this is the product of an institutional security autoscanner and we're just checking boxes in the name of security absolution, the right thing to do is submit a Pull Request with the change.


Owner

khrome commented Nov 1, 2018

I had other changes to publish, so I made this change as well. Thanks for the report.

@khrome khrome closed this Nov 1, 2018


yocarbo commented Nov 13, 2018

Thanks for the update ;)
